Tag: Security

[Source: The following announcement from Discover was sent to customers via email on 5 Oct 2017.]

What you can do with Discover:

Check your Social Security number and New Account alerts. You’ll get an alert if we find your Social Security number on any of thousands of risky websites, or if any new accounts show up on your credit report.

What We’re Being Told

National news coverage reports that, due to regulatory changes, internet service providers can now track our personal web browsing, save it indefinitely, and sell this information to the highest bidder. As a result, increased concern about internet privacy has prompted a rise in advertising for Virtual Private Network (VPN) services. Top security firms and analysts are warning that this threat is real and consumers should be very afraid.

Common Sense

Let’s take a step back for a moment and apply some common sense here. What’s being reported in the news is that your internet activity is tracked based on the IP address of your computer, and the fact that your name is on the internet service account.

As someone in IT for over 30 years, I’m telling you this just doesn’t make sense. Watch how quickly this unravels.

First of all, if you’re like 95% of consumers, your ‘computer’ doesn’t have a public IP address; your cable modem or DSL modem does. Whether you live in a household, an apartment, or a dorm, or are visiting a coffee shop or hotel, you’re likely sharing that modem/router IP address with other people using computers, phones, and tablets. When guests are at your home, they are sharing your modem and router too. How is an Internet service provider going to know who is who? They won’t.

Will the data they gather ‘about you’ be of any value to advertisers? No.

Even the more precise cookie-based tracking seems able only to show you ads for products you’ve already purchased. We don’t want to see ads for websites and products we already know about, so that advertising is a waste of money for advertisers.

Your internet browsing isn’t all done from home; it’s spread across multiple service providers: home, work, school, public transit, free public wifi, the coffee shop wifi, your phone used as a hotspot, and browsing while visiting a friend’s home. You’re not going to be tracked based on IP address.

In addition to all of the above issues, many of the websites we visit today use SSL encryption. Sites that use https rather than http, like banks, online stores, and millions more, encrypt the content of all communications between our browser and the site, hiding it from our Internet service provider and from hackers. So, the information exchanged is private.

If you’re visiting a lot of anarchist websites, sites about manufacturing drugs, or websites that are primarily engaged in illegal activities, you and others sharing your modem may become ‘persons of interest’ but even then it would be difficult to discern between research done for a high school writing assignment and someone intending to break the law.

When you run all of your internet traffic through a single third-party VPN service provider, you’re handing over all your internet activity to one business — rather than anonymously to many. Why would you trust that business with your internet activity and not another?

Presumably with a VPN, much of your activity will appear to be from a single IP address which makes you easier to track and identify.

So, the privacy concern that’s being propagated in the mainstream media is misrepresented, and the solution they are prescribing makes the problem worse.

How We’re Actually Tracked Online

The ways that our activity is tracked online don’t really have much to do with an IP address. Cookies track what sites we visit, and our computing devices each have a kind of fingerprint. The combination of operating system, screen size, browser we use, and other factors begins to narrow down our unique devices regardless of how we get to the Internet. You’ve no doubt noticed that ads appear on websites that seem relevant based on products you’ve recently shown an interest in. This isn’t based on your IP address; it’s based on cookies and other factors. You can start paying for a VPN service, but those ads are still going to appear, and you’ll still be tracked. With mobile devices, you’re also tracked based on your location. A VPN service won’t prevent cookies, GPS tracking, and other privacy invasion issues.

When AntiVirus Software Advertises

One of the promises of today’s internet security software is to remove annoying pop-up ads caused by malware. Yet, sometimes antivirus software can itself be the source of misleading or confusing ads. Over the years, Avast has been one of the better antivirus programs available, and even their free version ranks high in reviews. However, recently they’ve been looking for more ways to get consumers to buy additional services. For example, their antivirus software frequently displays an alert warning about system performance issues. When you respond to the alert, they suggest buying their system cleanup software. Even on a computer with a fresh installation of Windows and no other software installed except Avast, the alert that a system cleanup is needed will still appear. This is similar to what’s referred to as “scare-ware”: software that scares consumers into buying when perhaps no serious threat exists. Avast software also alerts users to passwords saved in browsers as a way of selling their password manager.

The ad below is an example of how Avast is now pushing out pop-up ads for their SecureLine VPN service. This pop-up ad began on 6 April 2017 and has been showing up daily. So, Avast is basically using their antivirus software as a way into your computer for purposes of advertising additional products and services. Unfortunately, the Avast SecureLine VPN isn’t rated well based on the cost and features it offers.

Do VPN Services Really Offer Privacy?

The Avast pop-up advertisement above itemizes the benefits that VPN services supposedly provide. This just isn’t true. Take a look at the following claims:

“Surf 100% anonymously every time”

“Hide your online activity from hackers”

“Leave no trace of your activities”

These claims aren’t exactly true. Your searching activity will be known by the owners of websites you log in to. Also, browsers save your searching history and may be storing that information in the cloud. Malware on your computer could be tracking your internet activity as well as login passwords. As explained above, there are many other ways to track a person’s browsing history that have nothing to do with a specific IP address.

Avast SecureLine VPN claims that you can “Access region-locked content easily.” That’s true. People visiting China or other restrictive countries may have trouble accessing some U.S.-based websites. VPN services can help by giving you access to content censored in some countries. However, that’s irrelevant for most consumers.

How Can We Protect Our Online Privacy?

The greater threats to privacy will come from malware, hackers, viruses, and security breaches like the 1.5 billion Yahoo accounts that were hacked, or the 11 million government military and cyber personnel files, criminal records, and health records that were recently stolen. The websites you visit are not your greatest concern.

Here are a few steps you can take to have greater privacy:

HTTPS Everywhere. Consider using the free HTTPS Everywhere browser plugin to encrypt your visits to websites. (Thanks to SJ for this suggestion.)

Limit Social Media Use. One of the problems with sharing so much personal information through social media is that hackers can use that information to guess passwords. Crooks know when you’re on vacation and plan robberies accordingly. Identity thieves can take all your online photos, and create imposter accounts, then commit fraud with your friends and family. (Thanks to NJ for the suggestion to add these cautions).

Mobile Hotspot. Rather than taking a chance with unsecured public networks, consider using the built-in mobile hotspot on your phone. Use your mobile device as a hotspot and stay off any networks that you don’t trust.

VPN. It should be pointed out that VPN services could be helpful when using unsecured public wifi hotspots at hotels or coffee shops. Using a VPN encrypts all your traffic against any local hackers who might be monitoring the local network at the packet level. Additionally, while communications with SSL sites are secure, it could be helpful to also hide which websites you visit, or at least not make that public to your internet service provider. (Thanks to Tim at FriendlyTechie.net for making this additional point.)

We’re Already Giving Away Our Privacy

Millions of people have relinquished their right to personal privacy with social media sites like Facebook, allowing companies to know our friends, interests, and many details of our life. This has inspired movies like “The Circle” — see trailer below.

If you’re using Avast AntiVirus for Mac and would like to use the Apple Mail program, you may notice a security certificate error when trying to access your email provider.

Avast has a 23-page document explaining how to correct this error. The steps involve exporting a certificate from Avast and importing it into your mail client.

Alternative Option

If you don’t care about scanning inbound emails, you can enter your email server address as an exception and Avast won’t try to scan emails from that server. See the example below. To find this screen, open Avast, choose Preferences, then select settings for the Mail Shield. Press the + button to add your mail server.

STEP 1 – Open Avast

STEP 2 – Choose Preferences

STEP 3 – Add Your Email Server

Replace the example below with your own email host. Use POP or IMAP as needed.

Problem Summary

We’re all familiar with the warning to be cautious when accepting emails or social media requests from people we don’t know. Now it’s important to use caution when accepting friend requests from those we do know. Here’s why.

Scammers will set up a fake ‘imposter’ Facebook account using your friend’s name and maybe two or three of their photos. Then they will send you a friend request.

Because the friend request comes from someone you know, you’re less likely to be skeptical about it.

Additionally, because a few of your common friends will have already been duped into the scam, when you see the request come in, you’ll see that you have several friends in common and that will further reassure you that the request is legitimate.

At this point, the snowball effect begins. The people behind these scams seek to build massive databases of names and personal information for identity theft, social engineering, and hacking into accounts.

You and those you know who have their Facebook content marked as ‘viewable by my friends and their friends’ are exposed to having all their content and list of friends stolen and misused.

So, for this reason, be VERY careful when accepting friend requests on Facebook even from people you know.

What To Do if You’re the Target

If someone has set up an imposter account pretending to be you, don’t post a message saying “my account has been hacked” because then your friends won’t know which account to trust. Explain that your account hasn’t been hacked, but that someone set up a new ‘fake / imposter’ account in your name and that you’re reporting it. Then follow the instructions on this page to report it and have it shut down.

Identification and Prevention – 3 Easy Steps

Here are three easy steps to identify and prevent fake accounts. (source)

Take a few seconds to look and see if you are already friends with that person. If so, the new one is likely fake.

Glance at the profile for the person making the request. Does it look legitimate? Often the fake accounts have only a few simple posts.

Communicate with the person making the request. Send a message: “Hi ____, I’m just making sure this is really you.” If they reply by telling you that Facebook is giving away a million dollars, it’s probably fake.

If it’s fake, take a moment to report it quickly before the scam spreads. Use the steps below.

How to Report and Shut Down Imposters

Because this is becoming a very prevalent problem, Facebook has improved the mechanism for reporting it. Follow the instructions shown below. In step 4 you can indicate whether someone is pretending to be you or someone you know.

Further Reading

Here are some additional articles on the topic of Facebook safety and how to avoid Facebook scams.

“On Monday, 25 July 2016, I was interviewed by our local Fox News affiliate on the topic of email security. The report is archived below, the original is online.” ~ Greg Johnson

Video

Full Report

CEDAR RAPIDS, Iowa (CBS2/FOX28) — Hackers have already disrupted the Democratic Party after releasing many damaging emails from the Democratic National Committee. They were embarrassing for party leaders and will likely result in at least the party chair stepping down this week.

But IT security for political groups and organizations at many different levels often balances on human error.

Running a campaign is a lot like a small business. There’s plenty of things to spend money on. With so much technology all around us, it’s often not an area where campaigns spend a lot of extra resources.

Physical protection is generally something we think politicians and their Secret Service Agents get right, especially at the highest levels.

CBS2/FOX28 spoke to local campaigns and elected officials from both major political parties about their IT security. They say, generally, campaign staff email is handled through services like Google’s Gmail and some additional security options within those programs. Rarely will even the most Congressional races have a dedicated IT team to keep it safe.

“Just using Google, or some similar service, steps it up a bit, but it’s not entirely secure,” said Johnson.

Once a candidate is elected to Congress, their staff is brought on to Federal Government systems. That’s usually a step above most security, but Greg says it still doesn’t solve human carelessness.

“All it takes is for one person to lose their computer or have one person get their password and suddenly, that person has access to all those emails that somebody was copied on, or anything they’ve ever sent or received,” said Johnson. “It would be a huge collection of emails just from one account getting breached.”

Greg says there is encryption software that would make sure emails and information are locked and can only be accessed by someone with the right password. He says that can be free, or be as expensive as $175.

To build fake personas on Facebook which can be sold on the black market for big money.

To buy or use fake personas on Facebook to sell or promote things.

Once trust or acceptance is garnered, they use the profiles to post links to malicious websites that will infect people’s computers and/or steal passwords.

To launch social engineering campaigns via Facebook asking friends to ‘answer these ten questions about yourself’ — in order to gather personal information about people for the purpose of identity theft or hacking into people’s accounts.

There may be other reasons as well.

What You Can Do

Fake users may ask to be friends with you on Facebook. Even if you have friends in common, be careful not to friend anyone until you’ve spent at least a few minutes checking their profile. You may want to send the person a message and ask them why they were wanting to connect. If you identify a fake account, click the three dots menu icon and select Report to report the user account as shown below. By spending a few minutes, you can protect hundreds of social media friends and contacts.

Identifying Fake Profiles

Here are signs of a fake profile:

Their profile has only a few posts on the timeline.

There are spammy advertising-like posts on their timeline.

Their About page has very little information.

They claim to work for Facebook on their About page.

Although you supposedly have friends in common, you’ve never heard of the person.

You’re a middle-aged man and the person you’ve never met who wants to friend you is an attractive girl in her 20s or 30s.

Summary

The Bitdefender suite of antivirus and computer security programs recently received the rating of best product in class for Consumer Reports as well as a number one rating from other software reviewers such as articles in PC Magazine and PC World. Those using the product will enjoy its speed and simplicity. However, there are some errors and problems you’ll likely encounter when using their product and website.

Update: 7 October 2015

We received a nice response from a representative at Bitdefender regarding the concerns we’ve identified below. Hopefully we’ll see some fixes soon. Here’s their response:

7 October 2015

We apologize for any negative experience you have encountered with our products or our support. Your feedback is appreciated, and will be directed to the appropriate team for review, to enable us to improve our support and services.

If you wish to give us another chance, we would be more than happy to assist you and we will strive to provide you with the best support possible. We value all our customers, thus you have all our attention if you have any other questions or need additional help.

Thank you for taking the time Greg, and please do not hesitate to contact us if you need further details from us.

Have a nice day!

Best regards,
Ionut Tacu
Bitdefender Support Team

Update: 25 September 2015

We finally received a reply from Bitdefender regarding some of our questions. Apparently Bitdefender Central and MyBitdefender are two separate portals that do similar things. It’s possible to register with both portals. The other questions on this page remain unanswered. One of our questions was with regard to earning commissions on referrals. We did get an answer to that. So, we’re now an official Bitdefender partner and reseller, which provides some additional motivation to see that the company gets these issues resolved. However, after signing up as an affiliate, the submission confirmation page indicated that we’d receive an email with login information. That never arrived. We’re still waiting for answers to the other questions below.

Your Account Needs to be Activated Error

When you log in to the My Bitdefender portal, you’ll likely see a notification stating, “Your account needs to be activated. Click here to receive an email with the activation link.” Most of the time, clicking where indicated doesn’t generate an email. If you ever do get an email with an activation link, clicking the activation link never works to activate your account, so the notification never goes away. Below is an example of the notification.

License Transfer Issues

Within the 2015 version of Bitdefender, when you clicked on the ‘days left’ link, you had an option to deactivate a license on a computer that you planned to discard, sell, or give away. However, as of the 2016 version, this is no longer an option. So, a crashed computer or a system that you otherwise no longer have access to will result in you losing one of the license installs that you paid for.

The screen shots below show how you can unregister with the 2015 version.

Click on the ‘days left’ link in the lower left shown here.

Then click on the Unregister button shown below.

The Unregister option has been removed from Bitdefender Total Security 2016. Whenever companies remove useful features, consumers generally complain and are frustrated.

Problems Installing Legitimate Programs

As of 11 October 2015, when on an Apple computer with Bitdefender 2016, an attempt to install Skype would not work. When copying the Skype program to Applications as instructed by the Skype installation, the progress bar would remain stuck at 0% complete. No indication was provided to suggest that Bitdefender was blocking the copy/install process. However, when Bitdefender Autopilot was turned off, Skype instantly copied to the Applications folder successfully.

Subscription Days Remaining Error

The screenshot below is from a Bitdefender installation on an Apple computer that has 266 days remaining in the subscription. However, in the lower right corner it’s reported that there are zero days left in the subscription. Some people might think they need to purchase a new subscription, so they will click on the Buy button and mistakenly purchase another subscription.

Bitdefender Central, as shown below, confirms that there are 266 days remaining for the above installation. Bitdefender Central maintains a real-time connection with the Bitdefender client software installed on the computer, so if there were any issues, they should show up in the Bitdefender Central display.

Support Request Page Failure

If you attempt to submit a support request ticket on the Bitdefender contact page you’ll likely be frustrated by the fact that their submit button doesn’t work. The Java code fails. This can be a problem for those wanting support. We’ve tested this on Windows and Apple computers running multiple operating system variations and using different browsers. With some browsers the CAPTCHA authentication works, and a photo-based quiz shows up to confirm you’re not a robot, but on others the CAPTCHA doesn’t work. Even when the CAPTCHA works, the Submit button still doesn’t work. This may happen after you’ve submitted one request successfully and a second request isn’t permitted. However, no message indicates why the submit isn’t working.

Affiliate, Reseller, Partner Program

Bitdefender has an affiliate / reseller / partner program. When you’re approved, you have access to a partner portal. However, the software available through the portal is last year’s software, and there doesn’t seem to be an easy way to generate simple advertisements and links (as with other affiliate programs). On October 5, an email sent to partnerprogram@bitdefender.com received an out-of-office auto reply stating, “Thank you for your message, please note that I will be out of office until 12th October. I will have limited access to my emails and they will not be forwarded.” So, apparently the one person in charge of the partner program is on vacation.

Update: It seems that Bitdefender has a partner program for support and separate affiliate programs for those wanting commissions on sales. At least one of the affiliate networks is OneNetworkDirect.com, where you can sign up and then get advertising links to Bitdefender and other programs.

Password Reset Emails Never Received

If you attempt to log in to one of the portals such as central.bitdefender.com and click the reset password link, you’ll be told that an email is going to be sent, but it never gets sent. This was documented on 22 September 2015.

Missing Operating Systems

Some of the glaring errors and oversights with the Bitdefender website make one a bit concerned about whether or not they have sufficient staffing. For example, on the contact page, the dropdown lists of operating systems are about a year old, with Apple at 10.9 and Windows at version 8.1; the latest operating systems are missing. This is something that most companies would update as soon as the new versions become available. Below is a screenshot of the operating system dropdown menu.

404 Error – Page Not Found

After uninstalling Bitdefender Total Security 2016 in Windows, your browser will launch attempting to take you to a landing page with an uninstall survey for those who’ve uninstalled. However, the landing page isn’t there, so you’ll get an error similar to the one below.

My Bitdefender or Bitdefender Central Confusion

It’s not clear whether a person should be using the My Bitdefender web portal or the Bitdefender Central web portal to manage their account. The Login button on the Bitdefender.com website currently takes users to Bitdefender Central. However, if you had previously paid for a subscription, it won’t automatically show up there. You’ll be asked to provide a previously purchased license number, but you won’t find one in any order confirmation emails or invoices from Bitdefender. The only way to activate the Bitdefender Central portal is to install a copy of Bitdefender on a computer and use the account email and password already on file for your My Bitdefender account.

Bitdefender Central is very simplistic compared to the My Bitdefender dashboard. While the My Bitdefender dashboard gives you the option to remove a licensed computer, the Bitdefender Central portal does not have such a feature. So, old computers you’re disposing of will count against your license and (until they get this fixed) you’ll never get those licenses back. They become non-transferable.

Below are some screen shots for comparison.

Within the past few days, there have been multiple coordinated attacks on our national technology infrastructure. According to a report by the Washington Post, “FBI officials believe the attacks required expertise.”

A report in USA Today states: “Repeated and successful attacks on fiber-optic cables in California have security experts warning the Internet’s physical infrastructure is ‘basically unsecured’ and vulnerable to both casual and determined attackers.”

Today, New York Stock Exchange was taken offline, the Wall Street Journal website was taken down, and United Airlines was shut down with flights grounded from coast to coast.

One would hope that it took a sophisticated army of cyber criminals to bring down United Airlines. Yet, United Airlines claims that the nation-wide outage was due to a router failure. If we are to believe them, it’s more troubling to think that a single point of failure, a single component, caused a major airline to shut down.

If our infrastructure is so shoddy and fragile that it fails without any human intervention, what would happen if people tried to take it down?

The same can be said for the New York Stock Exchange and the Wall Street Journal website. It would be more comforting to know that those outages were part of a coordinated attack.

Here’s What You Can Do To Help

Given the rise in high-profile attacks, it would be wise for everyone to increase their own security efforts for personal and business computing.

You may think that you’re a much less important target for hackers than an air traffic controller, bank president, or nuclear power plant worker. However, any hacked account or computer is typically only a few relationships removed from a high-level target. It’s estimated that we’re all about six degrees of separation from anyone else, which means that every target is equally important to a hacker. Additionally, hackers work on building aggregate networks of hijacked computers for launching attacks on critical infrastructure.

Data Redundancy. Make sure your critical data is in three places: local hard drive, backup hard drive, and cloud storage. Make sure you have a regular backup plan and don’t leave your backup drives connected to any computer since new viruses attack files on all attached drives. Be sure to have more than just a backup of your current files. Keep backup of your file versions in the event that current files become corrupted and then overwrite your only backup.

Computer Security. Use a high quality paid subscription antivirus and security program such as Bitdefender or Kaspersky.

Credit Card Security. A debit card that pulls directly from your bank account can leave you with no money in the bank if it’s stolen. That can result in bounced checks and other fees. However, a credit card creates a firewall between you and thieves. If your card is stolen, you can report it and have it cancelled.

Consider having several credit cards so you can use one for online transactions and higher-risk purchasing while traveling, and another for regular monthly bills. The latter is less likely to get stolen if it’s only used for a few recurring monthly bills. That way, if the more exposed travel/high-risk card is stolen, you simply need to cancel it, and you won’t need to contact a dozen merchants to provide them with a new number.

For an extra measure of security, consider purchasing a no-fee American Express Prepaid Reloadable credit card for online purchases. In this way, you won’t need to give out your primary credit card numbers. You can use these cards for one-time payments, or refill them for ongoing use.

Financial Security. Use a service like Equifax to monitor your credit activity.

Identity Security. Use a service like LifeLock to secure your personal identity.

Password Safety. Consider using a password manager like 1Password that uses local encrypted storage of your password list. Do not store this in the cloud and do not synchronize through the Internet. Synchronize through your local network only. Maintain a copy of your passwords on your computer and also on a mobile device with biometric security (fingerprint reader). Alternatively, you can write your passwords and account information on paper and store them in a fireproof and waterproof safe. Using a multi-function home copier, you could make a backup copy and leave it in a safe place.

Redundancy. Maintain a second computer with a backup of your essential files and contacts. Have it configured to function for printing, network, email, and other functions in the event that your primary computer goes down. Create a non-computer-reliant system for your daily tasks. In other words, for all the tasks you rely on your smartphone or computer, figure out a pen and paper solution.

Social Media Security. Be vigilant when using social media. Don’t accept friend requests from people you don’t really know. It would mislead your friends into accepting a friend request from a person they think you know and approve of.


Two-step verification is now available for Apple ID account holders. The information below is an overview from the Apple website. You need to sign in to see these instructions on the Apple site, which you probably can’t do if you’re having trouble logging in.

Two-step verification for Apple ID.

With two-step verification, your identity will be verified using one of your devices before you can make changes to your account, sign in to iCloud, or make iTunes or App Store purchases from a new device.

(1) You enter your Apple ID and password as usual.

(2) We send a verification code to one of your devices.

(3) You enter the code to verify your identity and complete sign in.

You will also get a Recovery Key for safekeeping which you can use to access your account if you ever forget your password or lose your device.

Simple and more secure.

Once enabled, the only way to make changes to your account will be to sign in with two-step verification.

There will be no security questions for you to remember or for other people to guess.

Only you will be able to reset your password.

If you forget your password, you can reset it with a trusted device and your Recovery Key.
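Added illustration, not Apple’s code: a small Python model, written from the server’s side, of the three-step sign-in and the Recovery Key reset described above. The class and method names, the 4-digit code, the 5-minute code lifetime and the 3-attempt limit are assumptions chosen for the model, not Apple’s actual parameters; the trusted device is a stand-in object that simply records the codes delivered to it.

```python
"""Model of the two-step sign-in described above (hypothetical; not Apple's code).

Assumed parameters: 4-digit codes, a 5-minute code lifetime, 3 guesses per code.
"""
import hashlib
import hmac
import os
import secrets
import time

CODE_LIFETIME_SECONDS = 300   # assumed: a code is only good for 5 minutes
MAX_CODE_ATTEMPTS = 3         # assumed: 3 wrong guesses void the pending code


class TrustedDevice:
    """Stand-in for a phone or tablet that receives verification codes."""

    def __init__(self, name):
        self.name = name
        self.inbox = []           # codes "delivered" to this device

    def deliver(self, code):
        self.inbox.append(code)


def _kdf(secret, salt):
    """Slow salted hash: a stolen database does not yield passwords or keys."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


class TwoStepAccount:
    def __init__(self, account_id, password, trusted_devices):
        self.account_id = account_id
        self._pw_salt = os.urandom(16)
        self._pw_hash = _kdf(password, self._pw_salt)
        self.trusted_devices = list(trusted_devices)
        self._rk_salt = None      # set once the Recovery Key is issued
        self._rk_hash = None
        self._pending = None      # state between step 2 and step 3

    def issue_recovery_key(self):
        """Generate the Recovery Key; returned once for safekeeping, only a hash kept."""
        key = secrets.token_hex(14).upper()
        self._rk_salt = os.urandom(16)
        self._rk_hash = _kdf(key, self._rk_salt)
        return key

    # Step 1 (password as usual) and step 2 (code sent to a trusted device)
    def begin_signin(self, password, device, now=None):
        if not hmac.compare_digest(_kdf(password, self._pw_salt), self._pw_hash):
            return False
        if device not in self.trusted_devices:
            return False          # codes go only to devices the owner enrolled
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10_000):04d}"
        self._pending = {"code": code, "expires": now + CODE_LIFETIME_SECONDS,
                         "attempts": 0}
        device.deliver(code)
        return True

    # Step 3 (the user types the code back to complete sign-in)
    def complete_signin(self, code, now=None):
        now = time.time() if now is None else now
        pending = self._pending
        if pending is None or now > pending["expires"]:
            self._pending = None  # expired or nothing pending: start over
            return False
        pending["attempts"] += 1
        if pending["attempts"] > MAX_CODE_ATTEMPTS:
            self._pending = None  # too many guesses: the code is void
            return False
        if hmac.compare_digest(code, pending["code"]):
            self._pending = None  # a code is single-use
            return True
        return False

    # Password reset needs a trusted device AND the Recovery Key; no security questions
    def reset_password(self, device, recovery_key, new_password):
        if device not in self.trusted_devices or self._rk_hash is None:
            return False
        if not hmac.compare_digest(_kdf(recovery_key, self._rk_salt), self._rk_hash):
            return False
        self._pw_salt = os.urandom(16)
        self._pw_hash = _kdf(new_password, self._pw_salt)
        self._pending = None      # any half-finished sign-in is discarded
        return True
```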